Cyber security in the superyacht industry
A recent webinar hosted by DNV GL outlined the steps to building cyber security resilience on board…
With the upcoming cyber risk requirements from the International Maritime Organisation (IMO), certain yachts have until 1 January 2021 to incorporate cyber risk management into their Safety Management Systems (SMS). DNV GL recently hosted a webinar outlining the cyber security landscape in the superyacht segment and the ISM Code implementation.
IMO Resolution MSC.428(98) recalls the purpose and objectives of the ISM Code, and encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance (after 1 January 2021). SOLAS defines which ships must comply with the ISM Code as vessels used for commercial operations, vessels with more than 12 passengers, vessels of 500gt and over, as well as other vessels with individual flag state requirements.
While not all yachts have to comply with the cyber security resolution under the ISM Code, Jarle Blomhoff, group leader cyber safety and security at DNV GL, asserted that cyber security is relevant for the whole superyacht industry. “Superyachts and the maritime industry can be attractive targets for cyber criminals, so it is something we need to take care of to keep vessels safe,” he explained, adding that the particular risk factors for superyachts include UHNWIs on board and the increased complexity of vessels with more software, automation and connectivity.
In order to be compliant with MSC.428(98), vessels must identify vessel cyber security objectives, make an inventory of systems and software and execute a cyber risk assessment. The assessment involves identifying target on-board systems, analysing the likelihood and consequence of a system compromise, determining the initial risk level of each system, suggesting measures and calculating residual risk.
During the webinar, Svante Einarsson, team leader cyber security at DNV GL, used the example of a cyber risk assessment for an Azipod propulsion and steering system. Such an assessment would conclude that the consequence of a cyber attack could be system failure, which could cause grounding or collision. The likelihood of such an incident is high due to high connectivity, data exchange with the outside, USB ports, Ethernet connection and system updates.
While the assessed initial risk is, therefore, very high, Einarsson adds that the risk can be mitigated by applying logical network segregation, enforcing requirements on suppliers, performing drills for key cyber security procedures and developing cyber security competences, roles and responsibilities.
The webinar offered further valuable advice on how superyachts can build cyber security resilience. Listen to the full DNV GL webinar here.